OpenSSL is a cryptography toolkit that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLS v1) network protocols.
The following features are omitted from the binaries for issues including but not limited to patents, trademark, and US export restrictions: ECC, IDEA, MDC2, RC3, RC5, Dynamic Engine Loading, 4758_CCA Engine, AEP Engine, Atalla Engine, CHIL Engine, CSWIFT Engine, GMP Engine, NURON Engine, PadLock Engine, Sureware Engine, and UBSEC Engine.
A new PKCS#11 engine has been included with ENGINE name pkcs11. The engine was developed in Sun and is not integrated in the OpenSSL project.
The PKCS#11 engine is configured to use the Solaris Cryptographic Framework. See cryptoadm(1M) for configuration information.
The PKCS#11 engine can support the following set of mechanisms: CKM_AES_CBC, CKM_AES_ECB, CKM_BLOWFISH_CBC, CKM_DES_CBC, CKM_DES_ECB, CKM_DES3_CBC, CKM_DES3_ECB, CKM_DSA, CKM_MD5, CKM_RC4, CKM_RSA_PKCS, CKM_RSA_X_509, CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, and CKM_SHA512.
The set of mechanisms available depends on installed Crypto Framework providers. To see what mechanisms can be offloaded to the Cryptographic Framework through the PKCS#11 engine on a given machine, run the following command:
/usr/sfw/bin/openssl engine -vvv -t -c
Due to requirements of the PKCS#11 standard regarding fork(2) behavior, some applications that use the OpenSSL EVP interfaces and fork() with active crypto contexts might experience unexpected behavior.
A FIPS Capable OpenSSL is available in /lib/openssl/fips-140. To use this version of OpenSSL on a per-application basis, LD_LIBRARY_PATH can be set. crle(1) can be used to select this version of OpenSSL for all applications.
# crle -a /lib/libcrypto.so.0.9.8 -o \ /lib/openssl/fips-140 # crle -64 -a /lib/64/libcrypto.so.0.9.8 -o \ /lib/openssl/fips-140/64
The FIPS Capable libcrypto and the non-FIPS Capable libcrypto are ABI compatible. One exception to this is the use of the CRYPTO_NUM_LOCKS preprocessor macro. Instead of using CRYPTO_NUM_LOCKS, the CRYPTO_num_locks(3openssl) function should be used instead.
Even when a FIPS Capable OpenSSL is used applications cannot automatically claim FIPS compliance. See the OpenSSL FIPS 140-2 User Guide at http://openssl.org/ for more information.
openssl(1openssl) can be run in FIPS mode. The environmental variable, OPENSSL_FIPS, must be set and the FIPS Capable OpenSSL libraries must be used.
# export LD_LIBRARY_PATH=/lib/openssl/fips-140 # export OPENSSL_FIPS=1 # openssl version OpenSSL 0.9.8k-fips 25 Mar 2009 (security fixes for: CVE- 2009-1377 CVE-2009-1378 CVE-2009-1379)
cc [ flag... ] file... -lcrypto -lssl [ library... ]
To build an OpenSSL application which supports a FIPS mode of operation, use the following cc command line options:
cc -I/usr/include/openssl/fips-140 -L/lib/openssl/fips-140 \ [ flag... ] file... -lcrypto -lssl [ library... ]
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data) EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)
key_id, formerly for filenames only, can be now also set to a PKCS#11 URI. The EVP_PKEY structure is newly allocated and caller is responsible to free the structure later. To avoid clashes with existing filenames, file:// prefix for filenames is now also accepted but only when the PKCS#11 engine is in use. The PKCS#11 URI specification follows:
pkcs11:[token=<label>][:manuf=<label>][;serial=<label>] [;model=<label>][;object=<label>] [;objecttype=(public|private|cert)] [;passphrasedialog=(builtin|exec:<file>)]
The ordering of keywords is not significant. The PKCS#11 engine uses the keystore for the slot chosen for public key operations, which is metaslot on a standard configured machine. Currently, the PKCS#11 engine ignores the objecttype keyword. The only mandatory keyword is object which is the key object label. For information on how to use a different, possibly hardware, keystore with metaslot. Seelibpkcs11(3LIB).
The token PIN is provided by way of the passphrasedialog keyword and is either read from the terminal (builtin) or from the output of an external command (exec:<file>). The PIN is used to log into the token and by default is deleted from the memory then. The keyword pin is intentionally not provided due to inherent security problems of possible use of a password in the process arguments
Due to fork safety issues the application must re-login if the child continues to use the PKCS#11 engine. It is done inside of the engine automatically if fork is detected and in that case, exec:<file> option of the passphrasedialog keyword can be used. Alternatively, an environment variable OPENSSL_PKCS11_PIN_CACHING_POLICY can be used to allow the PIN to be cached in memory and reused in the child. It can be set to none which is the default, memory to store the PIN in memory, and mlocked-memory keep the PIN in a locked page using mlock(3C). PRIV_PROC_LOCK_MEMORY privilege is required in that case.
Sensitive parts of private keys are never read from the token to the process memory no matter whether the key is tagged with sensitive flag or not. The PKCS#11 engine uses the public components as a search key to get a PKCS#11 object handle to the private key.
To use the RSA keys by reference, high level API functions such as RSA_public_decrypt()(), EVP_PKEY_set1_RSA()(), or EVP_SignInit()() must be used. Low level functions might go around the engine and fail to make use of the feature.
Extensive additional documentation for OpenSSL modules is available in the /usr/share/man/man1openssl, /usr/share/man/man3openssl, /usr/share/man/man5openssl, and /usr/share/man/man7openssl directories.
To view the license terms, attribution, and copyright for OpenSSL, see /var/sadm/pkg/SUNWopensslr/install/copyright.
The following example generates and prints a public key stored in an already initilized PKCS#11 keystore. Notice the use of -engine pkcs11 and -inform e.
$ pktool gencert keystore=pkcs11 label=mykey \ subject="CN=test" keytype=rsa keylen=1024 serial=01 $ openssl rsa -in "pkcs11:object=mykey;passphrasedialog=builtin"\ -pubout -text -engine pkcs11 -inform e
See attributes(5) for a description of the following attributes:
/usr/share/man/man1openssl/openssl.1openssl, /usr/share/man/man1openssl/CRYPTO_num_locks.3openssl, /usr/share/man/man3openssl/engine.3, /usr/share/man/man3openssl/evp.3
OpenSSL FIPS 140-2 User Guide at http://openssl.org/